Apologies if this is a "double post" however I didn't see this turn up on the list
when I posted it yesterday...
I have a problem that isn't really affecting the users experience, however it is
really clogging up the access.log with alot of TCP_DENIED entries.
I have turned up logging to
debug_options ALL,2
so that I can see what's going on with the ACL's
I have the following auth_param's acl's & rules:
-------------------------------------------------------------------
auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 25
auth_param ntlm max_challenge_reuses 5
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Proxy Server
auth_param basic credentialsttl 2 hours
acl blockedsites url_regex -i "/usr/local/squid/etc/acls/block.acl"
acl unblockedsites url_regex -i "/usr/local/squid/etc/acls/unblock.acl"
acl AuthorisedUsers proxy_auth REQUIRED
acl Group_WebBrowsers external NT_global_group Web_Browsers
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blockedsites !unblockedsites
http_access allow AuthorisedUsers Sites_AllUsers
http_access allow AuthorisedUsers Group_WebBrowsers
http_access allow localhost
http_access deny all
http_reply_access allow all
-------------------------------------------------------------------
and my logs are showing the following (note this is a combination of access.log &
cache.log):
-------------------------------------------------------------------
1091084609.250 351 10.49.4.164 TCP_DENIED/407 2112 GET http://www.google.com.au/ -
NONE/- text/html
1091084609.301 4 10.49.4.164 TCP_DENIED/407 2134 GET http://www.google.com.au/ -
NONE/- text/html
2004/07/29 17:03:29| The request GET http://www.google.com.au/ is DENIED, because it
matched 'AuthorisedUsers'
2004/07/29 17:03:29| The request GET http://www.google.com.au/ is DENIED, because it
matched 'AuthorisedUsers'
2004/07/29 17:03:29| clientReadRequest: FD 67: no data to process ((11) Resource
temporarily unavailable)
2004/07/29 17:03:29| aclMatchExternal: NT_global_group = 1
2004/07/29 17:03:29| The request GET http://www.google.com.au/ is ALLOWED, because it
matched 'Group_WebBrowsers'
2004/07/29 17:03:29| The reply for GET http://www.google.com.au/ is ALLOWED, because
it matched 'all'
2004/07/29 17:03:29| clientReadRequest: FD 67: no data to process ((11) Resource
temporarily unavailable)
1091084609.684 382 10.49.4.164 TCP_MISS/200 3229 GET http://www.google.com.au/
mydomain\myusername DIRECT/216.239.57.147 text/html
-------------------------------------------------------------------
Now this is weird because I have no ACL that denies AuthorisedUsers - so why is it
saying that the GET is denied because it matches AuthorisedUsers and then allowing
it because it matches Group_WebBrowsers?
Regards,
Rob Hadfield
Received on Fri Jul 30 2004 - 14:05:49 MDT
This archive was generated by hypermail pre-2.1.9 : Sun Aug 01 2004 - 12:00:03 MDT